Secunia

Multiple vulnerabilities have been reported in various Oracle products. Some have an unknown impact and others can be exploited to conduct SQL injection attacks or compromise a vulnerable system.

Details have been disclosed for the following vulnerabilities:

1) Input passed to the "IMPORT_CHANGE_SET", "IMPORT_CHANGE_TABLE", "IMPORT_CHANGE_COLUMN", "IMPORT_SUBSCRIBER", "IMPORT_SUBSCRIBED_TABLE", "IMPORT_SUBSCRIBED_COLUMN", "VALIDATE_IMPORT", "VALIDATE_CHANGE_SET", "VALIDATE_CHANGE_TABLE", and "VALIDATE_SUBSCRIPTION" procedures provided by the "sys.dbms_cdc_impdp" package is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires permissions to create a PL/SQL function.

2) Input passed to the "MAIN" procedure provided by the "sys.kupw$worker" package is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires permissions to create a PL/SQL function.

3) Input passed to the "sys.dbms_stats" package is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires permissions to create a PL/SQL function.

4) Input passed to the "sys.dbms_upgrade" package is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires permissions to create a PL/SQL function.

Solution
Apply patches (see vendor advisory).

Provided and/or discovered by
1-4) Alexander Kornbrust, Red Database Security.

The vendor also credits the following people:
* Esteban Martinez Fayo, Application Security Inc.
* Dr. Christian Kleinewaechter and Swen Thuemmler, infinity3.
* David Litchfield, Next Generation Security Software.

Original Advisory
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html

Red Database Security:
http://www.red-database-security.com/advisory/oracle_cpu_jul_2006.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_cdc_impdp.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupw$worker.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_stats.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_upgrade.html

Deep Links
Links available in Customer Area